Re: [Openvpn-devel] [PATCH] Document the inlining of files in openvpn and document key-direction

2012-08-23 Thread Gert Doering
Hi,

On Thu, Aug 23, 2012 at 11:21:00PM +0200, Arne Schwabe wrote:
> This patch documents the usage of inline files in OpenVPN. Hackish ways of 
> inline files are deliberately left out. For tls-auth and

ACK.

(This is far too useful to be left undocumented :-) )

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH] Document the inlining of files in openvpn and document key-direction

2012-08-23 Thread Arne Schwabe
This patch documents the usage of inline files in OpenVPN. Hackish ways of
inline files are deliberately left out. For tls-auth and secret the
key-direction option is the right way of specifying the direction, and not
by using two tls-auth/secret lines where the first sets the direction and
has a dummy file name and the second sets the inline file data but does not
reset the direction parameter.

Also "pkcs12 [[INLINE]] base64encoded_data" works but is a quirk of how the
config parser works.

Signed-off-by: Arne Schwabe 
---
 doc/openvpn.8 |   39 +++
 1 file changed, 39 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index a821b5e..49348e4 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3615,6 +3615,14 @@ would see nothing
 but random-looking data.
 .\"*
 .TP
+.B \-\-key-direction
+Alternative way of specifying the optional direction parameter for the
+.B \-\-tls-auth
+and
+.B \-\-secret
+options. Useful when using inline files (See section on inline files).
+.\"*
+.TP
 .B \-\-auth alg
 Authenticate packets with HMAC using message
 digest algorithm
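Review bot: the new --key-direction entry never says which values the option accepts, nor what happens when it is combined with a direction given directly on --tls-auth or --secret; since the cover text says this is the right way to set the direction for inline keys, state the accepted values (the same ones the direction parameter of --tls-auth takes) and which setting wins if both are present. "See section on inline files" should also name the section it refers to ("INLINE FILE SUPPORT") so the cross-reference can be found in the man page.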
@@ -5895,6 +5903,37 @@ X509_1_C=KG
 .ft
 .fi
 .\"*
+.SH INLINE FILE SUPPORT
+OpenVPN allows including files in the main configuration for the 
+.B \-\-ca, \-\-cert, \-\-dh, \-\-extra-certs, \-\-key, \-\-pkcs12, \-\-secret
+and
+.B \-\-tls-auth 
+options. 
+
+Each inline file started by the line 
+.B 
+and ended by the line
+.B 
+
+Here is an example of an inline file usage
+
+.nf
+.ft 3
+.in +4
+
+-BEGIN CERTIFICATE-
+[...]
+-END CERTIFICATE-
+
+.in -4
+.ft
+.fi
+
+When using the inline file feature with 
+.B \-\-pkcs12 
+the inline file has to be base64 encoded. Encoding of a .p12 file into base64 
can be done for example with OpenSSL by running
+.B openssl base64 -in input.p12 
+
 .SH SIGNALS
 .TP
 .B SIGHUP
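Review bot: the two ".B" lines that are meant to show the start and end tags of an inline block ("Each inline file started by the line .B" and "ended by the line .B") are empty in this hunk, and the example between "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-" shows no enclosing tag either, so as archived the section never tells the reader what the delimiter lines look like; if the angle-bracket tags were stripped in transit, escape them so they survive both troff and the mail, and change "Each inline file started by" to "Each inline file is started by". The line "can be done for example with OpenSSL by running" lacks the leading "+" that every other added line has, so this hunk will not apply as posted; rewrap that sentence. Since the --key-direction entry points readers here, this section should also say that the direction for an inline --tls-auth or --secret key is set with --key-direction.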
-- 
1.7.9.5




Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread David Sommerseth

On 23/08/12 17:30, Amm Vpn wrote:
> 
> Currently openvpn BLINDLY runs any script which in my opinion is
> too dangerous. One breach and intruder can simply erase your whole
> harddisk.

Agreed.

> My idea of script-dir is taken from sendmail concept of smrsh. 
> http://www.faqs.org/docs/securing/chap22sec182.html
> 
> In my case person does not have direct access to machine. But only
> to config file. Now if I make sure that he cant change script-dir,
> it secures my whole machine.
> 
> Otherwise there is noway I can give access to config file to him
> without worrying about him running "rm -rf /"
> 
> Hope I am able to convey my idea. Just trying to patch a flaw in
> openvpn, in my opinion

But you forget one detail.  OpenVPN options can be overridden by just
appending an extra --script-dir at the command line, due to the nature
of the option parser.  Which is the same situation for
--script-security as well.  Your patch has the same flaw as
--script-security.


kind regards,

David Sommerseth



Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Eric Crist
On Aug 23, 2012, at 10:30:51, Amm Vpn  wrote:

> - Original Message -
>> From: Eric Crist 
>> To: Amm Vpn 
>> Cc: Heiko Hund ; 
>> "openvpn-devel@lists.sourceforge.net" 
>> Sent: Thursday, 23 August 2012 8:19 PM
>> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
>  
>>> So best is to make OpenVPN itself secure. And run only scripts from 
>>> particular directory. (script-dir)
> 
> 
>> I don't really see how this adds any security.  Perhaps it makes it easier 
>> to code your front-end, but it doesn't offer anything in the way of 
>> security, since it's an option passed in the config or on the command line, 
>> it can be changed at-will by whomever runs the program.
> 
> Umm, same applies for script-security parameter as well. How does that add
> security? If person has access to config file he can change script-security
> level as well and then run any RANDOM command at his will.
> 
> So why was such an option added too? Please do not assume that it will be
> only you who would be modifying config file. In my case I have to allow
> access to subordinate.
> 
> My point here is script-security does not really give you TRUE security.
> 
> Script-dir makes sure that ONLY scripts from particular directory (say
> /etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn
> at compile time. (which my patch does not do yet but instead made it a
> config option)
> 
> Any script NOT in that directory should not be run at all.
> 
> Currently openvpn BLINDLY runs any script which in my opinion is too
> dangerous. One breach and intruder can simply erase your whole harddisk.
> 
> My idea of script-dir is taken from sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
> 
> In my case person does not have direct access to machine. But only to
> config file. Now if I make sure that he can't change script-dir, it secures
> my whole machine.
> 
> Otherwise there is no way I can give access to config file to him without
> worrying about him running "rm -rf /"
> 
> Hope I am able to convey my idea. Just trying to patch a flaw in openvpn,
> in my opinion

I still think this doesn't help anything that can't be solved in your own GUI.  
Simply make sure that you prepend the full path on any scripts setup from your 
front-end and you help your own cause.  Additionally, strip any pathing from 
the supplied arguments.  script-security was added by James before the 
community got heavily involved in development, so I can't say as to the real 
reasons for that change.  I am still thinking this is an unneeded patch with 
too-narrow a scope.

-
Eric F Crist





Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Amm Vpn




- Original Message -
> From: Eric Crist 
> To: Amm Vpn 
> Cc: Heiko Hund ; "openvpn-devel@lists.sourceforge.net" 
> 
> Sent: Thursday, 23 August 2012 8:19 PM
> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
 
>>  So best is to make OpenVPN itself secure. And run only scripts from 
>> particular directory. (script-dir)


> I don't really see how this adds any security.  Perhaps it makes it easier 
> to code your front-end, but it doesn't offer anything in the way of 
> security, since it's an option passed in the config or on the command line, 
> it can be changed at-will by whomever runs the program.

Umm, same applies for script-security parameter as well. How does that add
security? If person has access to config file he can change script-security
level as well and then run any RANDOM command at his will.

So why was such an option added too? Please do not assume that it will be
only you who would be modifying config file. In my case I have to allow
access to subordinate.

My point here is script-security does not really give you TRUE security.

Script-dir makes sure that ONLY scripts from particular directory (say
/etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn
at compile time. (which my patch does not do yet but instead made it a
config option)

Any script NOT in that directory should not be run at all.

Currently openvpn BLINDLY runs any script which in my opinion is too
dangerous. One breach and intruder can simply erase your whole harddisk.

My idea of script-dir is taken from sendmail concept of smrsh.
http://www.faqs.org/docs/securing/chap22sec182.html

In my case person does not have direct access to machine. But only to
config file. Now if I make sure that he can't change script-dir, it secures
my whole machine.

Otherwise there is no way I can give access to config file to him without
worrying about him running "rm -rf /"

Hope I am able to convey my idea. Just trying to patch a flaw in openvpn,
in my opinion

Amm




Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Eric Crist
On Aug 23, 2012, at 09:45:14, Amm Vpn  wrote:

>> Hi
>> 
>> On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
>>> So my idea was
>>> 1) Add a new option called script-dir
>>> 2) Frontend will not allow word "script-dir" in config file (so admin can't
>>> change it)
>>> 3) script-dir will be passed on command line
>>> 
>>> This way admin can not run anything other than what I have put in
>>> script-dir. This also helps prevent accidentally running a script in some
>>> other path.
>> 
>> As this is very specific to your frontend, why doesn't your frontend simply
>> check the path names in the config for correctness before deploying it?
> 
> Umm, I suppose this feature may be useful for other purposes. At least it
> adds a level of security.
> 
> Regarding my frontend, frontend is very basic, simple textarea in a form.
> I do not want to complicate it by parsing each line, each type of config
> value and verifying them for correctness and secureness.
> 
> Also want it to be forward compatible, in a sense, let's say tomorrow some
> other config is introduced which runs some other script. Then I do not want
> to re-code my frontend to check for new config entry.
> 
> So best is to make OpenVPN itself secure. And run only scripts from
> particular directory. (script-dir)


I don't really see how this adds any security.  Perhaps it makes it easier to 
code your front-end, but it doesn't offer anything in the way of security, 
since it's an option passed in the config or on the command line, it can be 
changed at-will by whomever runs the program.

-
Eric F Crist



Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Heiko Hund
Hi

On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
> So my idea was
> 1) Add a new option called script-dir
> 2) Frontend will not allow word "script-dir" in config file (so admin can't
> change it)
> 3) script-dir will be passed on command line
> 
> This way admin can not run anything other than what I have put in
> script-dir. This also helps prevent accidentally running a script in some
> other path.

As this is very specific to your frontend, why doesn't your frontend simply
check the path names in the config for correctness before deploying it?

Regards
Heiko
-- 
Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200
SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany




[Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread ammdispose-...@yahoo.com
Hello all,

I am submitting a minor patch which includes an option to specify --script-dir,
i.e. any user defined script will be run ONLY IF it is present in "script-dir".

The reason I needed this is because I had a frontend to the configuration file
which allowed the administrator to change the configuration.

I also have script-security set to 2 because I wanted to run a script when
the client connects.

These two options make it insecure, as the admin (with bad intention or if the
admin password is leaked) can simply call "rm -rf /" for certain commands.

So my idea was
1) Add a new option called script-dir
2) Frontend will not allow the word "script-dir" in the config file (so admin
can't change it)
3) script-dir will be passed on the command line

This way the admin can not run anything other than what I have put in
script-dir. This also helps prevent accidentally running a script in some
other path.

The patch also fixes a minor bug in init.c where the warning for SSEC_PW_ENV
actually would never be shown.



So please have a look at it and if acceptable then merge in source tree.

Thanks

AMM.
--- openvpn-2.2.2/init.c	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/init.c	2012-08-21 11:53:22.809410085 +0530
@@ -2291,9 +2291,13 @@
 #endif
 
   if (script_security >= SSEC_SCRIPTS)
-msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
-  else if (script_security >= SSEC_PW_ENV)
-msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+{
+  msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
+  if (script_security >= SSEC_PW_ENV)
+msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+  if (script_dir == NULL)
+msg (M_WARN, "WARNING: setting --script-dir is recommended for higher security");
+}
   else
 msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
 
--- openvpn-2.2.2/misc.c	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/misc.c	2012-08-21 12:27:24.332296778 +0530
@@ -45,6 +45,7 @@
 
 /* contains an SSEC_x value defined in misc.h */
 int script_security = SSEC_BUILT_IN; /* GLOBAL */
+const char *script_dir = NULL; /* GLOBAL */
 
 /* contains SM_x value defined in misc.h */
 int script_method = SM_EXECVE; /* GLOBAL */
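Review bot: script_dir is declared as a mutable global next to script_security, but nowhere in the posted patch is it assigned from the parsed --script-dir option (the options.c hunk, as archived, stops after the help text), so as posted the check in openvpn_execve_allowed() never sees a non-NULL value; include the option-parsing change, and consider storing the directory in canonical form at parse time rather than as the raw string the user typed.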
@@ -484,10 +485,14 @@
 }
 
 bool
-openvpn_execve_allowed (const unsigned int flags)
+openvpn_execve_allowed (const char *cmd, const unsigned int flags)
 {
   if (flags & S_SCRIPT)
-return script_security >= SSEC_SCRIPTS;
+{
+  if (script_dir != NULL && strncmp(script_dir, cmd, strlen(script_dir)))
+	return false;
+  return script_security >= SSEC_SCRIPTS;
+}
   else
 return script_security >= SSEC_BUILT_IN;
 }
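Review bot: the new test in openvpn_execve_allowed() is a plain string-prefix comparison, strncmp(script_dir, cmd, strlen(script_dir)), and that is not the same as "the script lives in script_dir": it accepts any command whose name merely begins with the configured string (a sibling directory whose name extends script_dir, or a file in the parent whose name starts the same way), it accepts a path that starts in script_dir and then leaves it through ".." components, and it says nothing about symlinks placed inside the directory or about a relative cmd that execve() in the caller resolves through PATH. To get the smrsh-like guarantee the cover letter asks for, resolve both script_dir and cmd with realpath() before comparing, require the match to end at a '/' (compare against script_dir with a trailing separator), and deny when realpath() fails. The condition is correct as written, since strncmp() returns non-zero on mismatch, but "!= 0" would make the intent obvious to the next reader.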
@@ -509,11 +514,11 @@
   if (a && a->argv[0])
 {
 #if defined(ENABLE_EXECVE)
-  if (openvpn_execve_allowed (flags))
+  const char *cmd = a->argv[0];
+  if (openvpn_execve_allowed (cmd, flags))
 	{
 	  if (script_method == SM_EXECVE)
 	{
-	  const char *cmd = a->argv[0];
 	  char *const *argv = a->argv;
 	  char *const *envp = (char *const *)make_env_array (es, true, );
 	  pid_t pid;
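Review bot: hoisting cmd out of the SM_EXECVE branch so it can be passed to openvpn_execve_allowed() is fine, but only the execve() path is shown; openvpn_system() (declared in misc.h) is a separate way to run commands, and a command run via system() goes through the shell, where argv[0] alone does not determine what ends up executing, so the patch should state whether that entry point is also gated on script_dir or is documented as unaffected. The context line "make_env_array (es, true, )" has lost an argument in the archive, which suggests other characters in this posting may have been eaten as well; please resend the patch as an attachment.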
--- openvpn-2.2.2/misc.h	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/misc.h	2012-08-21 12:10:59.916050919 +0530
@@ -133,7 +133,7 @@
 /* wrapper around the execve() call */
 int openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags);
 bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message);
-bool openvpn_execve_allowed (const unsigned int flags);
+bool openvpn_execve_allowed (const char *cmd, const unsigned int flags);
 int openvpn_system (const char *command, const struct env_set *es, unsigned int flags);
 
 static inline bool
@@ -353,6 +353,7 @@
 #define SSEC_SCRIPTS   2 /* allow calling of built-in programs and user-defined scripts */
 #define SSEC_PW_ENV3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */
 extern int script_security; /* GLOBAL */
+extern const char *script_dir; /* GLOBAL */
 
 #define SM_EXECVE 0  /* call external programs with execve() or CreateProcess() */
 #define SM_SYSTEM 1  /* call external programs with system() */
--- openvpn-2.2.2/options.c	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/options.c	2012-08-21 11:33:15.955648666 +0530
@@ -218,6 +218,7 @@
   "  1 -- (default) only call built-ins such as ifconfig\n"
   "  2 -- allow calling of built-ins and scripts\n"
   "  3 -- allow password to be passed to scripts via env\n"
+  "--script-dir dir: Only run user-defined scripts if it
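Review bot: the options.c hunk ends mid-string at "Only run user-defined scripts if it", so the patch is truncated as archived and cannot be applied or fully reviewed: the rest of the help text and, more importantly, the code that parses --script-dir into the script_dir global are missing. Please resend the complete patch as an attachment. When it is complete, the help text should say explicitly that a later --script-dir on the command line overrides an earlier one (David Sommerseth's point in this thread), so users do not assume the directory is locked once set.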
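The directory test in the misc.c hunk above is a string-prefix comparison. What follows is an added example, not code from the submitted patch or from OpenVPN, showing a hardened form of that check; the function names and the assumption of a POSIX realpath() are mine.

```c
/* Added example, not part of the submitted patch: a hardened --script-dir
 * check.  The patch uses strncmp(), i.e. a plain string prefix.  Here the
 * match must end at a '/' and both paths go through realpath() first, so
 * "..", symlinks and relative names are resolved before comparing.
 * POSIX only; the function names are mine, not OpenVPN's. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The check as written in the patch: true when script_dir is a string
 * prefix of cmd, so "/etc/openvpn/scripts-evil/x" passes for "/etc/openvpn/scripts". */
bool weak_prefix_allowed(const char *script_dir, const char *cmd)
{
    return strncmp(script_dir, cmd, strlen(script_dir)) == 0;
}

/* Lexical test on canonical absolute paths: cmd must be dir, then '/', then
 * a non-empty name.  A trailing '/' on dir is tolerated; "/" is special-cased. */
bool path_within_dir(const char *dir, const char *cmd)
{
    size_t n = strlen(dir);
    if (n == 0 || dir[0] != '/' || cmd[0] != '/')
        return false;
    if (n > 1 && dir[n - 1] == '/')
        n--;
    if (strncmp(dir, cmd, n) != 0)
        return false;
    if (n == 1)
        return cmd[1] != '\0';
    return cmd[n] == '/' && cmd[n + 1] != '\0';
}

/* Full check: deny on NULL or when either path cannot be resolved, then compare
 * the resolved paths.  A symlink inside script_dir pointing outside is rejected. */
bool script_allowed(const char *script_dir, const char *cmd)
{
    char dir_real[PATH_MAX], cmd_real[PATH_MAX];
    if (script_dir == NULL || cmd == NULL)
        return false;
    if (realpath(script_dir, dir_real) == NULL ||
        realpath(cmd, cmd_real) == NULL)
        return false;
    return path_within_dir(dir_real, cmd_real);
}
```

Subdirectories of script_dir are still accepted, as in the patch; tighten path_within_dir() to reject a further '/' in the remainder if only the directory's immediate entries should be runnable.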